Overlapping Wildcard Order Identifiers


Starting this week (Edit: 2018-03-22: This is now active in production) ACME v2 NewOrder requests with overlapping wildcard/non-wildcard identifiers will produce an urn:ietf:params:acme:error:malformed problem response indicating that one of the domain names is redundant with a wildcard domain in the same request. To fix this, the client should submit a revised NewOrder request with the overlapping identifier removed.

We mentioned this briefly in our initial ACME v2 Production Environment & Wildcards announcement post but delays in the implementation meant that we launched without this enforcement in place. Previously acceptable NewOrder requests with overlapping identifiers will be rejected after the enforcement is enabled.

An example of an overlapping NewOrder request is:

  "identifiers": [
     { "type": "dns", "value": "*.example.com" },
     { "type": "dns", "value": "www.example.com" }
  ]

In the above case the "www.example.com" identifier overlaps with the "*.example.com" identifier and one or the other should be removed.
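The following added example (not code from Let's Encrypt or Boulder) shows the check from both sides: a server-side validation that mirrors the announced rule by returning a urn:ietf:params:acme:error:malformed problem document when a non-wildcard name is covered by a wildcard in the same NewOrder, and a client-side helper that drops the redundant identifier before resubmitting. The function names and the wording of the problem "detail" are assumptions; only the error type and the example identifiers come from the post. A name is treated as redundant only when it is exactly one label below a wildcard's base, so "example.com" and "a.b.example.com" are not flagged alongside "*.example.com".

```python
import copy
import json

ACME_ERROR_MALFORMED = "urn:ietf:params:acme:error:malformed"


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; strip a trailing dot for comparison.
    return name.strip().lower().rstrip(".")


def find_redundant_identifiers(order_request: dict) -> list:
    """Return (name, wildcard) pairs for every non-wildcard dns identifier
    that is one label below a wildcard identifier in the same request."""
    names = [
        _normalize(ident["value"])
        for ident in order_request.get("identifiers", [])
        if ident.get("type") == "dns"
    ]
    # "*.example.com" covers names whose parent is "example.com".
    wildcard_bases = {n[2:] for n in names if n.startswith("*.")}
    redundant = []
    for n in names:
        if n.startswith("*."):
            continue
        parent = n.split(".", 1)[1] if "." in n else ""
        if parent and parent in wildcard_bases:
            redundant.append((n, "*." + parent))
    return redundant


def validate_new_order(order_request: dict):
    """Server-side view (assumed shape): return an ACME problem document for
    the first overlapping identifier, or None when the order is acceptable."""
    redundant = find_redundant_identifiers(order_request)
    if not redundant:
        return None
    name, wildcard = redundant[0]
    return {
        "type": ACME_ERROR_MALFORMED,
        # Detail text is constructed for this example, not Boulder's exact message.
        "detail": (
            f'Domain name "{name}" is redundant with wildcard domain '
            f'"{wildcard}" in the same request. Remove one or the other.'
        ),
    }


def strip_redundant_identifiers(order_request: dict) -> dict:
    """Client-side fix: return a copy of the request with every identifier
    that is covered by a wildcard in the same request removed."""
    covered = {name for name, _ in find_redundant_identifiers(order_request)}
    fixed = copy.deepcopy(order_request)
    fixed["identifiers"] = [
        ident
        for ident in fixed.get("identifiers", [])
        if not (ident.get("type") == "dns" and _normalize(ident["value"]) in covered)
    ]
    return fixed


if __name__ == "__main__":
    # Constructed NewOrder payload matching the post's example.
    request = json.loads(
        '{"identifiers": [{"type": "dns", "value": "*.example.com"},'
        ' {"type": "dns", "value": "www.example.com"}]}'
    )
    problem = validate_new_order(request)
    print(json.dumps(problem, indent=2))
    print(json.dumps(strip_redundant_identifiers(request), indent=2))
```

Running the script prints the problem document for the overlapping request, followed by the revised request containing only "*.example.com"; validate_new_order returns None for that revised request.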


This change is now active in the production environment.